Adding some additional tweaks and updates.

This just does some additional cleanup and refactors some items in the chart. Just need to get the test implemented. Signed-off-by: Jamie Phillips <[email protected]>
kubernetes-sigs · Feb 20, 2022 · 5d7fb63 · 5d7fb63
1 parent 1addeec
commit 5d7fb63
Show file tree

Hide file tree

Showing 12 changed files with 76 additions and 46 deletions.
diff --git a/admission-webhook/gmsa-0.3.0.tgz b/admission-webhook/gmsa-0.3.0.tgz
diff --git a/charts/v0.3.0/gmsa/templates/_helpers.tpl b/charts/v0.3.0/gmsa/templates/_helpers.tpl
@@ -4,3 +4,43 @@
 {{- end -}}
 {{- end -}}
 
+{{/* Create chart name and version as used by the chart label. */}}
+{{- define "gmsa.chartref" -}}
+chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+{{- end }}
+
+{{/* Determine apiVersion for cert-manager */}}
+{{- define "cert-manager.apiversion" -}}
+  {{- $certmanagerVer :=  split "." .Values.certificates.certManager.version -}}
+  {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
+apiVersion: cert-manager.io/v1
+  {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
+apiVersion: cert-manager.io/v1beta1
+  {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
+apiVersion: cert-manager.io/v1alpha2
+  {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
+apiVersion: cert-manager.io/v1alpha1
+  {{- else }}
+apiVersion: cert-manager.io/v1
+  {{- end }}
+{{- end }}
+
+{{- define "certificates.cabundle"}}
+{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.certificates.secretName) -}}
+{{- if lt (len $secret) 1 -}}
+{{- required (printf "CA Bundle secret '%s' in namespace '%s' must exist" .Values.certificates.secretName .Release.Namespace) "" -}}
+{{- else -}}
+{{- if not (hasKey $secret "data") -}}
+{{- required (printf "CA Bundle secret '%s' in namespace '%s' is empty" .Values.certificates.secretName .Release.Namespace) "" -}}
+{{- end -}}
+{{- if or (not (hasKey $secret.data "ca.crt")) (not (hasKey $secret.data "tls.crt")) (not (hasKey $secret.data "tls.key")) -}}
+{{- required (printf "CA Bundle secret '%s' in namespace '%s' must contain ca.crt, tls.key, and tls.cert; found the following keys in the secret: %s" .Values.certificates.secretName .Release.Namespace $secret.data) "" -}}
+{{- end -}}
+{{- end -}}
+{{- get $secret.data "ca.crt" }}
+{{- else -}}
+INSERT_CERTIFICATE_FROM_SECRET
+{{- end -}}
+{{- end }}
+
diff --git a/charts/v0.3.0/gmsa/templates/clusterrole.yaml b/charts/v0.3.0/gmsa/templates/clusterrole.yaml
@@ -5,12 +5,12 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ .Release.Name }}
-  labels:
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  labels: {{ include "gmsa.chartref" . | nindent 4 }}
 rules:
   - apiGroups: ["windows.k8s.io"]
     resources: ["gmsacredentialspecs"]
     verbs: ["get", "use"]
   - apiGroups: ["authorization.k8s.io"]
     resources: ["localsubjectaccessreviews"]
     verbs: ["create"]
+
diff --git a/charts/v0.3.0/gmsa/templates/clusterrolebinding.yaml b/charts/v0.3.0/gmsa/templates/clusterrolebinding.yaml
@@ -3,8 +3,7 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: {{ .Release.Name }}
-  labels:
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  labels: {{ include "gmsa.chartref" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
     name: {{ .Release.Name }}
@@ -13,3 +12,4 @@ roleRef:
   kind: ClusterRole
   name: {{ .Release.Name }}
   apiGroup: rbac.authorization.k8s.io
+
diff --git a/charts/v0.3.0/gmsa/templates/credentialspec.yaml b/charts/v0.3.0/gmsa/templates/credentialspec.yaml
@@ -3,8 +3,7 @@ apiVersion: windows.k8s.io/v1
 kind: GMSACredentialSpec
 metadata:
   name: {{ lower .Values.credential.domainJoinConfig.machineAccountName }}  #This is an arbitrary name but it will be used as a reference
-  labels:
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  labels: {{ include "gmsa.chartref" . | nindent 4 }}
 credspec:
   ActiveDirectoryConfig:
     GroupManagedServiceAccounts:
@@ -22,3 +21,4 @@ credspec:
     NetBiosName:  {{ .Values.credential.domainJoinConfig.netBiosName }} #NETBIOS Domain Name
     Sid:  {{ .Values.credential.domainJoinConfig.sid }} #SID of GMSA
 {{- end -}}
+
diff --git a/charts/v0.3.0/gmsa/templates/deployment.yaml b/charts/v0.3.0/gmsa/templates/deployment.yaml
@@ -3,8 +3,7 @@ kind: Deployment
 metadata:
   name: {{ .Release.Name}}
   namespace: {{.Release.Namespace}}
-  labels:
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  labels: {{ include "gmsa.chartref" . | nindent 4 }}
 spec:
   replicas: 1
   selector:
@@ -15,6 +14,9 @@ spec:
       labels:
         app: {{ .Release.Name }}
     spec:
+      {{- if .Values.podSecurityContext }}
+      securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }}
+      {{- end }}
       serviceAccountName: {{ .Release.Name }}
       affinity:
         nodeAffinity:
@@ -37,9 +39,9 @@ spec:
             httpGet:
               scheme: HTTPS
               path: /health
-              port: 443
+              port: {{ .Values.containerPort }}
           ports:
-            - containerPort: 443
+            - containerPort: {{ .Values.containerPort }}
           volumeMounts:
             - name: tls
               mountPath: "/tls"
@@ -49,6 +51,11 @@ spec:
               value: /tls/key
             - name: TLS_CRT
               value: /tls/crt
+            - name: HTTPS_PORT
+              value: {{ .Values.containerPort }}
+      {{- if .Values.securityContext }}
+      securityContext: {{ toYaml .Values.securityContext | nindent 12 }}
+      {{- end }}
       volumes:
         - name: tls
           secret:
@@ -58,3 +65,4 @@ spec:
                 path: key
               - key: tls.crt
                 path: crt
+
diff --git a/charts/v0.3.0/gmsa/templates/issuer.yaml b/charts/v0.3.0/gmsa/templates/issuer.yaml
@@ -1,23 +1,10 @@
 {{- if .Values.certificates.certManager.enabled -}}
-  {{- $certmanagerVer :=  split "." .Values.certificates.certManager.version -}}
-  {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
-apiVersion: cert-manager.io/v1
-  {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
-apiVersion: cert-manager.io/v1beta1
-  {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
-apiVersion: cert-manager.io/v1alpha2
-  {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
-apiVersion: certmanager.k8s.io/v1alpha1
-  {{- else }}
-# Setting latest version as default
-apiVersion: cert-manager.io/v1
-  {{- end }}
+{{ template "cert-manager.apiversion" . }}
 kind: Certificate
 metadata:
   name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
-  labels:
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  labels: {{ include "gmsa.chartref" . | nindent 4 }}
 spec:
   dnsNames:
     - {{ .Release.Name }}.{{ .Release.Namespace }}.svc
@@ -27,24 +14,13 @@ spec:
     name: {{ .Release.Name }}
   secretName: {{ .Values.certificates.secretName }}
 ---
-  {{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 1) (ge (int $certmanagerVer._1) 0)) }}
-apiVersion: cert-manager.io/v1
-  {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
-apiVersion: cert-manager.io/v1beta1
-  {{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
-apiVersion: cert-manager.io/v1alpha2
-  {{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
-apiVersion: certmanager.k8s.io/v1alpha1
-  {{- else }}
-# Setting latest version as default
-apiVersion: cert-manager.io/v1
-  {{- end }}
+{{ template "cert-manager.apiversion" . }}
 kind: Issuer
 metadata:
   name: {{ .Release.Name }}
   namespace: {{ .Release.Namespace }}
-  labels:
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  labels: {{ include "gmsa.chartref" . | nindent 4 }}
 spec:
   selfSigned: {}
 {{- end -}}
+
diff --git a/charts/v0.3.0/gmsa/templates/mutatingwebhook.yaml b/charts/v0.3.0/gmsa/templates/mutatingwebhook.yaml
@@ -6,6 +6,7 @@ metadata:
   annotations:
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
   {{- end }}
+  labels: {{ include "gmsa.chartref" . | nindent 4 }}
 webhooks:
   - name: admission-webhook.windows-gmsa.sigs.k8s.io
     clientConfig:
@@ -30,3 +31,4 @@ webhooks:
         - key: gmsa-webhook
           operator: NotIn
           values: [disabled]
+
diff --git a/charts/v0.3.0/gmsa/templates/service.yaml b/charts/v0.3.0/gmsa/templates/service.yaml
@@ -3,11 +3,11 @@ kind: Service
 metadata:
   name: {{ .Release.Name }}
   namespace: {{.Release.Namespace}}
-  labels:
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  labels: {{ include "gmsa.chartref" . | nindent 4 }}
 spec:
   ports:
     - port: 443
-      targetPort: 443
+      targetPort: {{ .Values.containerPort }}
   selector:
     app: {{ .Release.Name }}
+
diff --git a/charts/v0.3.0/gmsa/templates/serviceaccount.yaml b/charts/v0.3.0/gmsa/templates/serviceaccount.yaml
@@ -4,5 +4,5 @@ kind: ServiceAccount
 metadata:
   name: {{ .Release.Name }}
   namespace: {{.Release.Namespace}}
-  labels:
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  labels: {{ include "gmsa.chartref" . | nindent 4 }}
+
diff --git a/charts/v0.3.0/gmsa/templates/validatingwebhook.yaml b/charts/v0.3.0/gmsa/templates/validatingwebhook.yaml
@@ -6,8 +6,7 @@ metadata:
   annotations:
     cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Release.Name }}
   {{- end }}
-  labels:
-    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+  labels: {{ include "gmsa.chartref" . | nindent 4 }}
 webhooks:
   - name: admission-webhook.windows-gmsa.sigs.k8s.io
     clientConfig:
@@ -32,3 +31,4 @@ webhooks:
         - key: gmsa-webhook
           operator: NotIn
           values: [disabled]
+
diff --git a/charts/v0.3.0/gmsa/values.yaml b/charts/v0.3.0/gmsa/values.yaml
@@ -18,6 +18,8 @@ credential:
     netBiosName: ""  #NETBIOS Domain Name
     sid: "" #SID of GMSA
 
+containerPort: 443
+
 image:
   repository: sigwindowstools/k8s-gmsa-webhook
   tag: v0.3.0
@@ -26,5 +28,7 @@ image:
 global:
   systemDefaultRegistry: ""
 
+podSecurityContext: {}
+securityContext: {}
 tolerations: []